WannaCry Ransomware Creators Make Rookie Mistake

A bug in the WannaCry ransomware prevented the malicious application from generating individual Bitcoin wallets to collect payments from each of its victims, security researchers have discovered.

WannaCry began wreaking havoc worldwide on May 12, courtesy of a worm component abusing the NSA-linked EternalBlue exploit. Targeting an already patched Windows SMB vulnerability, the exploit allowed an otherwise run-of-the-mill ransomware to become an international threat within hours.

An earlier WannaCry version appears connected to the North Korean threat group Lazarus, but the variant used in the still ongoing campaign has nothing out of the ordinary, researchers say. In fact, researchers have already discovered bugs in the malware's code, although the encryption routine has not been cracked so far.

In a recent tweet, Symantec Security Response reveals that a race condition bug prevented the malware from using a unique Bitcoin address for every victim. The issue resulted in the ransomware using only three wallets for collecting ransom payments, which prevents its operators from tracking the payments to specific victims.

#WannaCry has code to provide unique bitcoin address for each victim but defaults to hardcoded addresses as a result of race condition bug

Security experts have warned countless times against paying the ransom in the event of a ransomware attack, as payment does not guarantee that files will be restored. In the case of the WannaCry attack, it is unlikely that victims would get their files back after paying the ransom.

More than 260 payments have been made to the three Bitcoin addresses associated with the ransomware, allowing the crooks to collect an estimated $78,000 to date from this campaign alone.

According to a recent tweet from Symantec, WannaCry attackers released a version that fixed the Bitcoin bug soon after the original variant, but most infections contain the flaw. However, the attempt to resolve the bug shows that the hackers’ “main goal was to make money,” the security firm says.

Patches, malware and kill-switch slowed the infection

Over 200,000 computers are estimated to have been hit by the ransomware, but that number could have been much higher had it not been for several conditions, starting with the fact that the attack unfolded heading into a weekend, when many vulnerable computers were offline. Microsoft issuing an emergency patch to address the flaw in older Windows versions also helped.

In a rather strange twist of events, a crypto-currency mining botnet that has been spreading using the very same vulnerability might have limited WannaCry’s infection as well. Dubbed Adylkuzz, the botnet blocks SMB networking immediately after infection, thus preventing other malware from compromising the machine using EternalBlue.

More importantly, a great many infections were stopped because security researcher @MalwareTechBlog registered a domain the ransomware beacons to before starting the infection. The domain acts as a kill-switch: the malware terminates its process when it receives a response from it. A WannaCry variant with no kill-switch was also observed, apparently patched in a hex editor.

That variant was presumably the work of the same cybercriminals, since no change was made to the hardcoded Bitcoin wallets, but newer samples feature different addresses, Bitdefender senior e-threat analyst Bogdan Botezatu told SecurityWeek. These variants are believed to come from different crooks, and they too were patched on the fly (not recompiled), Botezatu said.

Hundreds of thousands vulnerable and no free decryptor

The kill-switch domain also works as a sinkhole, and data gathered from it reveals that the WannaCry attacks are ongoing, with over 300,000 infections stopped over the past 24 hours, a live tracker shows. That number includes repeated incidents involving the same individual machines, but the number of vulnerable devices is believed to be in the hundreds of thousands.

“We find that there are over 1 million internet-connected devices that expose SMB on port 445. Of those, over 800,000 run Windows, and — given that these are nodes running on the internet exposing SMB — it is likely that a large percentage of these are vulnerable versions of Windows with SMBv1 still enabled (other researchers estimate up to 30% of these systems are confirmed vulnerable, but that number could be higher),” Rapid7’s Roy Hodgman says.

Because of the encryption implementation in WannaCry, decrypting files for free isn’t possible at the moment, although there might be tools claiming they can restore users’ data, Symantec says. The malware uses two hardcoded public keys, one for demo decryption purposes, and another for the main encryption process.

“Once the malware is running on the victim machine it will generate a new unique RSA 2048 bit asymmetric key pair. This means that each victim needs their own decryption key,” the security firm notes.

After generating the new key pair, the malware exports the public RSA key to a local file, then exports the private RSA key, encrypts it with the hardcoded attacker public key, and stores the result in another file on disk. Next, it destroys the private key in memory. Because “the lifetime of private victim RSA keys is so limited there is no good option to recover it later once the encryption has happened,” Symantec says.
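As an added illustration (not code from the article, from Symantec, or from WannaCry itself), the following Go program models the key lifecycle just described: a per-victim RSA-2048 pair is generated, the private half is exported and encrypted under a hardcoded attacker public key, the plaintext export is zeroed, and only the attacker's private key can unwrap it. RSA-OAEP applied block by block and the function names are assumptions; the article does not state WannaCry's exact wrapping construction.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// WrapVictimKey generates the per-victim RSA-2048 pair and returns only what the article
// says survives on disk: the exported public key and the exported private key encrypted
// under the attacker public key. Assumption: RSA-OAEP/SHA-256 block by block (190-byte
// payload per 256-byte block); the article does not give WannaCry's exact construction.
func WrapVictimKey(attackerPub *rsa.PublicKey) (pubDER, wrapped []byte, err error) {
	victim, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	privDER := x509.MarshalPKCS1PrivateKey(victim)
	for off := 0; off < len(privDER); off += 190 {
		end := off + 190
		if end > len(privDER) {
			end = len(privDER)
		}
		block, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, privDER[off:end], nil)
		if err != nil {
			return nil, nil, err
		}
		wrapped = append(wrapped, block...)
	}
	for i := range privDER { // "destroys the private key in memory": no plaintext export remains
		privDER[i] = 0
	}
	return x509.MarshalPKCS1PublicKey(&victim.PublicKey), wrapped, nil
}

// UnwrapVictimKey reverses the wrapping. Only the attacker private key succeeds; any other
// key fails at OAEP decryption, which is why no free decryptor exists once the key is gone.
func UnwrapVictimKey(attackerPriv *rsa.PrivateKey, wrapped []byte) (*rsa.PrivateKey, error) {
	k := attackerPriv.Size() // 256 bytes for a 2048-bit modulus
	var privDER []byte
	for off := 0; off+k <= len(wrapped); off += k {
		chunk, err := rsa.DecryptOAEP(sha256.New(), nil, attackerPriv, wrapped[off:off+k], nil)
		if err != nil {
			return nil, err
		}
		privDER = append(privDER, chunk...)
	}
	return x509.ParsePKCS1PrivateKey(privDER)
}
```

Calling WrapVictimKey with a throwaway attacker key and UnwrapVictimKey with its private half round-trips the victim key; unwrapping with any other key returns an error, which is the situation a victim is in once the in-memory key is gone.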

Because not all files are encrypted using the victim’s RSA public key (the one whose private key has been encrypted and stored locally), there are tools that can restore some of the victims’ files. According to Symantec, however, only some of the files are actually decryptable.

Some files are recoverable

The good news, however, is that some files can be recovered, especially on older Windows XP versions. While the malware overwrites files stored in Desktop, My Documents, or on any removable disks in the computer at the time of the infection and then deletes them, thus preventing undelete or disk recovery tools from restoring them, it doesn’t do the same for files stored outside these three locations.

For all other locations, the malware moves the files to a temporary folder and then deletes them normally, without first overwriting them. This means the files might be recoverable, but “the recovery ratio may vary from system to system because the deleted file may be overwritten by other disk operations,” Symantec says.

On Windows XP versions SP1 and SP2, because of a pseudo-random number generator (PRNG) vulnerability addressed in Windows XP SP3, one could “predict encryption keys that would be created in the future and, crucially, reveal keys that had been generated in the past.” By exploiting the flaw, an individual could reveal the decryption key in memory, but only if WannaCry is still running.